One of my recent areas of focus for The Sleuth Kit and Autopsy has
been on incident response. The last issue of the Sleuth Kit
Informer was about using The Sleuth Kit to verify an incident, and
Autopsy is undergoing some changes (see What's New) before it is
modified to make it easier to use for incident response. When the
transformation is complete, I will write an article on using Autopsy
for IR.

This issue goes back to the basics and we look at using 'dd' to
make an image of a disk or partition. There are other articles
that cover bits and pieces of this process, but I have found that
they are usually missing some part of the full story, such as using
netcat or using 'dcfldd'. So, this article is my version of "dd
101". Hopefully, I will be done with the Autopsy redesign by the
next issue and I will be able to discuss the new incident response
features.